


jlAjJlj djLujjjjiill <J£ (jc CjLg jIslxJI till jSjj j^a _^ jJI 4_^il<J! (HWfTffs^u^^ J ^—^jj^ c * lP 3 ^^ 6 ^ c * q ^l 

^jCr L_flj£ii3l j& SAa. jll £>i& (j-a ^^jaLiJ^)]! L_fl^Jl ib.n jj^l (j-a (_£ jJlxJl .Ua AjIa^JI 4_^.Ha1I S^Lja-all j^l^l c allai a <J j^. Jjj^lilll ^ 







(worms) t 3 ^ 1 



(^)jjiJlj cjI^jj^I Virus And Worms Concept 7.1 



^jli t^llxJI ^L^Jl ^ia^. ^ ,A-i> uJI jj (JLacVl ^UaS <J£ ^ bLaia ciiisu (jl tjSaW I^j^ jj jj;^^ djLuj jjja 

^xi^jja^ ^ 6^C.Loiaj ia^a ^-l^jLkJl CjVI L_ll> ^>*^ (jl diLajj jjiill (j^J ttilli ,CjliL<Jl (j>» 6J;1C. L-lb gaJ (jl <i£-aJj (J?^*-* 

<iA£ JlaJ (_£^)^-V! CjLujjjjiill <j^aLaJI ^1 j^VI Jj* '^V ^^>?^ jfi Jj;^^ ^3^'^ J^J^ ^-'-"JJ^I lP 3 *^ ■ jj;^^ 

;AjJ±aJI ^xil^)i3l (j-d CjUa Cj^\j (ilLlA .liLai ^Hala L_fl^)Ia ^jQ^'^j 

Trojans and rootkits 
Viruses 
Worms 
^Uaill (J^jia (jC- Ujlilj <jt.lpJt JJ^Lili .S^lxJl j 4_ll^<Jl S j^-Vl (j-a L-lAi *aJ (jl 1 g £ dJ c _^j3I 4*JJ^ £C-J C _^A (worms) (j^-^

_^J^)Jujl ^>flXJ <^^J ^ 

Virus Characteristics:

- Infects Other Program
- Transforms Itself
- Encrypts Itself
- Alters Data
- Corrupts Files and Programs
- Self Propagates




(Virus and Worm Statistics) O'^J ^^jj^JI CP cjUjU^VI 

http://www.av-test.org/en/home 

^ £)j£a 70 ^ ^ J '2012 ^1 ^ u^- '2008 u'^' J JJ^ i> ' <laaa ^uhiVl 




(Stage of Virus Life) SUa S jjj 

Uu3 JiLdJJ JJ CjLuj jjjS oLl^. 6JJ^3 

: (Design) ^a^J) 4-U>» -l 

.CjLojjjjiill pUSajj ajjojLojVI a^jJI CjUL Ai^x-A ui .{Construction kits) CjIcj-a^ 
: (replication) jLi^VI/^aJt -2

^j£| Jc a^j! yj jjjS JjuUJ CAjoj JJJ^ll jjjlaxa ^aj£j La S^tc .(j-a jll L>^ ^J"^ J^ C fl^Luaxll ^aUajll <J^.I,J J-^^W ^ J> (*J^ 

(jl (Jjfj £Cjuu3I (j-G A^C Jj£l JjuU J& tilli J L_JJjuJ| tl^J t aK^U a Jjj* ill | jljVl CjI^L (JjJJJjill I.JJJ (JjfS 4_L^kjuJl CjUjoiL^J! (jx» ,J,JC 

J^-IaJ (jl (jj,J l^J cJ^J ^ ^ } ' ^ ^ Jj diLuj JJJ^I 4_L^.j-<Jl fti& J 4<! ft^LjaxJl £cx»l jj3I £jJaj3 ft,J ja. jl CjLaijjjill <LgjLL* CjI^jjoi 4_iijj 

:(Launch) ^L^t/jillaVt -3

J lajulb ^^£3 (Jjj Jjjill 4-^-ajJ ^aJJ ^ .0^*^ C-J^. ^ j3 j ,jjc lg_J ^Ij^U 1 (p^ ^JJ ^aJ jJl 4jjJ<vVill J^VI Cjl^jj iaLaiill J CjLuj JJJall l-^JJ 
jIjVI ^ . ll > L_baiL^Jl Jj (Jjj JJJall (j-a J^j ^ j^ <J J ^—^J^V^ ^. u * J JL^jVI • J ^ c ' J' ^ ^-^J^ L^*-^ , ^ c ' j' U^*^ c — ^ 

jl*-* 4ijjjuj jl £c-aljJ S-ti-Ij jl (jjj^jll J 4_JLkJl CjL^LaixJl til^yl^Jjail jl L-buA^Jl Jc <J*j^x» ClAiLa JJ-S.JJ (j* ^ JJJJ <LjjJ>»,Jj3l 

: (Detection) lhjj^* tiLiS) -4 

(jj£j* ;(jjjjjji3l iaUdj 4_iLgc Laj|,J ft j^^ SI £JJJ V A3 ^Ai^jjai^J! 4_xJajVI <jU^U ^ j3l! CjI,jj,J£J 4_gil Jc (jjjjjjill Jc L_fl^*j3l ^aJJ 

# iajaii3 (jl <Jj3 (Jjj jjjall ^ j^- j t ajujj^J Uaj jj£I CjLuj JJ^I ^ 2^l^>^ dil^jjaJl 

^jjj jj ^^£3 tAixjifla j (jjj jj^l I^a ajc 6, wi^l djUV jlU ^jlaioil j ^ icse JJ^ c ^ ^3 ^•^ c - 

.dAjujjjjall 4^jlL» ^x»l^)i3 4_^Ha3I CjI^jjoJI J£ I^JLujjIj CjUj jlx-<JI 
(Incorporation) o-u^UJI/^aIjaJI -5

(Jj^lL ^Ixi^JjauJl ^aj£j ^^txil^Jl Cjl ^\ AJ^aill fti^ AiljJal ^aJJj 4^L_bajL^Jl djUJ A^U ^Jjj Jj^l ^1 Jl ^-J L_Li£j ^5 ill J j^ll <J 4 > <al ^ 

j^joiI Ajjoj Jl (Jj^j fti^ 4<j jlLJl ^n.^lj (Jj-gjIjj tdijjljVI a£jjoi Jc a£jjuo3I ja Jc ^j-Q ^AxjII Asu djlilxJl 

: (Elimination) 4JljVI/JU^VI -6 

jIjI jjoi^jj t^jjjjjjiil! Jc ^^jJa^jj t ftjujJ^J ^31 Cj!>bAsij3lj ^jjjjjjiill 4^jlLJ ^ j; ^Lq>1^Luia]| (j-a (j -0 *^J^ ^4 

^Ljakll ^aJ A3 CA AjujL^JI CjLuj j Jjfl A^.1 ^jl ^jVI J^ A^Ull ^aJJ -c ^a31sl!I CjU» jIslaII ^xU^xJ ft^J^^J ^-J^ ^>aia JJ dlla J ^jjjjjjill li^ 
L— Lia ; 4 ^ Jj ^ ^J' ^ a ^ ^JJ^^ L>^ '^^^ ClAjji JJJ^I dillft (j^j t^llxJl J ^ - uj L-1jujL^ ^1 Jc A^-jJ V J U»LdJ 

.^-ojL^JI jl Ajj^kjaJI CjI AjujLaJI ^^^jjouJ JL^JI CjS jll J ^'^j cJ^^ ^ 
Working of Viruses: Infection Phase J^p ^jla 

:c jl jSaj V I^jV cP^ i^t^ djI^Vl ^ Jio Jj £-liaj CjLaijjjill .cjI^VI i> '^Ul^VI 

(Self-start) Usli ^ - 

(Infect other hardware) cij^Vl Sj^Vl t jj ' ^ - 

(Cause physical damage to a computer) j^j^ Jj aj^I jl j^Vl uiuu - 
(Transmit themselves using non-executable files) i^ 1 ^ ^al^kl^U l^ij JS2 

. f 6 ^ ^-^J^J c^J^I ^-^J^ ' vJ^^ J A Jj f 1 V CjLuuJjj1]| J-aP Laj^P 

.^Ui^l J (.exe) Jj^I <-flLJI Jl i>^!j£l Jsujj ^ajij -Luij ^cjudL ^jj^l t (Infection phase)^j^> 

IgJjAsu ^aJ Jll gxl jJl jVI 

djUai^jll (J^asu 4j^3 CjLuj JJ^I ^Jjlaxi Luj JJ^I ^1 J^l Jl L^^J^* J^^^^^ I— t^jjj jjjilb L-jU^dll ^xilj^)i3l <Jj,t_>. , >ij 

;JlL<i ft^C J-dl jC ^jjJ ^jjl jjll Jc iali^ll 

?^jjjjjji3l L-JJj gaJ L_fl jjui L_flj£ 
V^j "J JJ Q ^ I^A Jjujlijj L_fljjoJ <. SJ^ — 
?4itjau£! ^aJJ (jl (JJ^ (j-« L_fl^Jl JJ jJJX^ll ftj^li J ^aJflJ L_fl jjoj C flj£ 
JJ jJJ^ll jl^a. UJ^ ^•^C ^dl jJl Ajilil (Jjiall (j-d AjAxJI cilLiA .La <ij]a jJ ^a j£j* lA^jjjj j l^-La nil {j^J CjLuj JJJ^ll (jl t^jJa! jll (j-« 

l^jLaijj ^aJ jll 2^^^^^ (j-° AjAsJl ^gC^LoaJ L_fl jjoj ^cxil jJl (jxi (_^l C-UJJJ ^aJJ Ld^JC L— Ll^ 4^Jll<Jl C-S^f^ J^ .(J-^l J J 
(jjojjjal! £c*li jj jt£ IaIs < JUlLj <laju>jlA ^1 jJI £>a& <j* o^xjj < (built into a system)<^-^ c_iLa <j* iiia^a l j

4_jaLjaVl AjAaII ^c^I^JI j>* aja»JI *&^-^\j (execution) ^ j^l I^a ^ l^-La q*^ j£-GJ 6<J*i3lj ^

J t^)^l t flLa jl £c^lj^)J UUj J c^/^J j^a taAl J Ja j^ > <o^> £cxilj^)j3 AjLulg <J£juU Q ^ J^ *JJ^ O 1 

Ale j .^jjjjj^I Al j£I Jl Auiiill cJ^% W 4jUu1su Jacj ; Jj^aVI £c-aUjJl Jl £>Al j£l c _flbjai A3 (jjjjjjiill jj^J 6<J jlxJl <J iffill CjliLJl 
i>A& Ajc j . Jj^VI £c-ali^)J! CjI <uLlj Aaijj] 4_ij\ia A^xj ^aJ tlA.^n^ jj^l l— ll <uLlj Jl SaIc £caIj^)JI j£lLl 4L_jL^xJI ^Auiiill L_aLJl <J^*-^ 
jjuiU^ll <J-ax-II JJ^ (J^ j) ^ la^Ju^J Jj3 <1a^q (Jjj JJ^ll ^i} A3j .Ij jLa ^>l <il j tUajuilj JJ^I UJ-^ ^ laSill 

<iila j ^Ia^IuAj m a IjA^ I jh'na Sj^IaJI J I <Jj Ia Aiijj A^)^aj jl^-aJ) l. n > ^ j V ^>^-VI (jlaxJl tillaA jl (direct-action)

^jj ^it > ^1 I ^ < JULjj .SaIc J^_£i]| ^Jaj Jll <( TSR< terminate and stay resident) "SjSlilt J 

J 4_xuLJl ^Ijill <L^ll<Jl ojjU^ll CjUjI^^I! . m 4_ajLJI" djLojjjjiill l^Je (ji^Jj ^Ajil! aA^J diLoajj^l 4_iJlc. (^lijj 4_ilc L_fl^xj3l 

<JLgcVI j-a jJJ^llj) (JjjjUJI CjI jijj ^jjILJI jl dAiaxjJa j>i CA aLJ] ^^JaUl^Vl ^cjouIIj Cjlinlalill cJ^*-^ L)^ tft^Slill 

A£jjoi3I (j^aljSI j ( . (iL^jS (scan) tl^lftC A CjLuj JJ^l laJ > >n (^jll JJ-«VI j-a J . j^«-^ <«— J^a. Ajc tiljlg-a. ^^ic <l<^xi 

uL$ ±la EXE<-^ uaj£ JUJ) JliJ) J) jlalUfl 
Figure: an .EXE file before infection (File Header, Start of Program, End of Program; a clean file) and after infection (File Header, a virus jump inserted at the Start of Program, the virus code placed after the End of Program; a virus-infected file).



V jl l-iaIj <jla a aUl 4jL^al ^j^-aj <j^3 j .(JjfSajll i}pu!£ lAii l^Jli 4<LiJjj ^jj UAic t EXE^^^ u^U t J£JJI Iaa J 

nil aI ^xJI J^kill aI j£I Jl Jilij ^ Vjl 1^ uSSi u^jj^ll ^1 j^U ^aUJI CjUjLuII Jl 
dAiLa i source code Ajj^aill CjliLJI . ,\iqViU Jjla ^jjWi ^li^j Jl A^hi iajj (Jjja <jc CjliLJI <jL^aU ^ jj^II 

.(jjjjjjiilU ^jAxll <Lola ^ lilA&l jflsu ttilli Jl Uij ;Ciijj£jaiVl CjliLdj patches 
jj j^f^l J^-^ ^ cJjS J jVI ^tUI J Igj ^aUJI a! j£VI iiiiij ^ ji5 (Boot Sector Virus) J ^ - ^ l ^UaS djLoj jjja 

. jl^-aJl l!^*-^ (j -0 ^^-^j j^A-dll j-d <jl C— CjLuj jj^l ^1 jjl ^>ia^.l ^A j t fl^il 

CjULJI ALuoaU Iajj l^Jli t^^JI ^Uaill ^L^Jl J Ju^±^h djLoj jj^l ^ jl ^j^j ^ (Attack phase) ^-^j^ ^ 

^axJ _t aj^aII ^Uaill ALaiaV Uj.^i'iU aU^II ^)fl*J J^lj C-jl^-VI (J^ju Jl ^"ll^J CjLujjjjiill (J^asu ,L_flJjJaxJl ^Uail! J 

/djjAJI CjSj SaU jj CjliLJl L_fli^. JiLd <JajudjVI (jlaxJJ ^^ilj tl^ udij JJ^J J^^J bUgS ClaLoa JJ^I 
^ j£i L_flA^Jl 4^<JajVI f>^t jll CjLuj JJ^I fth* ^ . jJjJa^ll Jj3 j-d A j.ui!a3I j^JI Jc l& jjaij Asu Ja^S L_fllAAVI ALuaaU ^ jflJ l^jl L— Ll^ 

; JVI tljUl J^l .\l4Yl1 
,^Uai!l ( . UjujJ JU3Uj tdjUUill CjliLo J CjUjI^ a\\ JjllxJ j CjliLJl c flA^ 

cIa! - 





Figure: an unfragmented file before the attack (File A, File B, Page 1 ... Page X) and the same file fragmented due to the virus attack (Page 1 File A, Page 3 File B, Page X).




^ https://www.facebook.com/tibea2004 



567 



j^VI jij Ia^I j I ytli (j^LJI j) a^j i J jVI ^laL&II ,B j A dial*]! ^ jjjjl Uajc Uj| Aaia 6<LLaJI Sjjj^all £>a& ^ j^>j^ 

^a^C Jl C^^JJ 'Jl J^l Ig-XjJaj ^aJ jll dlliLJl £3 1 j>» JJ*^ ^ajli ;L_aLJl 4_Aj^Ij (jjjjjjill ,j| j£l ^LiS ,Jja*AJ m A aiala <LjlaJ 

.CjIA^-VI (J^aXJ (J^T.t.'iiJ ^aJJ LiA^C (JaxJ lIAjuJ JJJ^I 

cAijJaxJl Dj£li3l J <jj Asu <l^ga<JI £c*I jJI (BUGS) £^*^.l 6^Luoal j J a<uxj 1 g > >v* j 

.Aa> - ail J] L_flJjJaxJl J J'**" (j! Asu I AJJ ^a ja^Jij tlfcj J^-J r^^V L-jLaijjjill - ^» a 4_jIj£ ^aJJ 

j ( . lWii] Iagc t (cyber-criminal)^-^-^^ jjj |>1 ^ l) ci^ ^ j^-^j ^ j jjj^II cjLuj jjjs



diljUJl JJ*,Vfl CjLuj JJJ^I \y^. ^—^J^V^ CS^^)^ A*-^-' 1 ^ ^^5^ ^ J ^—^JJ^ ^-Vjudjj ^aJJ 6 La j-oC .^aUajll J SjxiAall Cj^I 

.A£ j^JI diUaid jJy>Ai3 jl <4j*. jJl jl l_jjj^j3I JUc^I (j^ J^x£ <a£ j^JI J 
# djliLJl J ILLoj *L^A<Jl CjLuj JJjill c flAa (j^J^a (j£- ^aUaill e-bl (jjjui^jl aAA i**U<<u ^ j _^Uall3 oAl^. (jj^J (jl j3l ^ 

; L5 j^I J^uu j CjLuj jjji]) AjU£ ^Jl cjjj ljUujVI (j^u Lu2 

inflict damage to competitors uj >>1 ^^^ jj^^ c3^j 

Research projects &J^* - 
Pranks ^3^^ 
Vandalism s^j^ 
Attack the products of specific companies cJSj^ c^Ulu a^Jl^ - 
Distribute political messages cJj^j & jjj - 
Financial gain s^l^ - 
Identity theft ^j^l - 
Spyware u > iu o^ l 2^1jj 
Crypto viral extortion J'j^VI 

t -JJ > <aJ (jl CjLuj Jjjisll (j^-GJ .^aUI 4j!^J (jjjJaC- ^ diWl (j-« I^^C ( JJ > <aJ (jl (j£-aJj <C jjudJ jjI^jj ^j| <Jj-gj <!lxill (Jjj JJ^I 

^a^l j^. (j>» o^lilojVI ^ajl (jjjjjjiill (j£-ajj J ^jIc> (jjL^^j (jjiJl (jj>»A^jjaa>Jl > L-ib (jl (j^J cl^Jkj Ale ^_5^lj Word i— 

; JJ jJAx^ll ^aUaj ^^ic (Jjj JJjiJl ^ J^- J ^^-^ CjIjjoi^ ^^Jj Uu3 j ,CjliLiH L-JJj <aJ (jl J^.l (j-o diliLJl 

_ (Jjy^jll (J ^Ja| tjSj ^jjijjaaJ ^L^ljil! 
^^cxiljJl (jxi (_^l CljJjjj (jj^ (j>i (^^J^. 6<C. jU <Ja.Latxi ^^ic (_^jliJ V ^ ^ ^ Lftjb t ■ iL^all (j^ajall 
.^UlAkloal ^a^C dila jl ^ C5 ja lS^xj 6AiJ L. iL ^il l <j-aj£3l jl (Floppy disk) (j-aljSVI

.^Uajll ^^ic jj^Jall ^^ic lafll a CjliLo 

, JJL galll jl ^JC. CjI jj^I CllsUJ JJ jJlx^ll jl ^JjlLJl <Ja. jl 

^ ^ ^ Jf- (Ajl >q jjuj j (^j^ajJLJ jJjJAa^II AjujIjjj — 

,1^j1c L_fljxj3l l-jxj aj Ui U3lc.j 4<jjjc. ^LgjojI ^1 CjliLJI ^LgjojI Jjj^j 
(Floppy disk - CDROM) ^ j$ ^ c> J^-^^ ^ ^ ^Jj J ^ V l-jL^I I jlll pj^j 

_ jIjaLojIj JJXJJ ^iljjJl ^^>^ 
.^^^SaJ ^alkill j ^alAkloaVI AiS jlil ^alkill 6j£li3l 
;^JU3| j^jlt (^Ic 4 jjt uj JJ^VI LjjJLoiVl .^—iLuijjjill (j^J^a (jc jj jj;^ jW^ ( ♦ ^ 1 "V C5-^l l3J^I L>* ^-^Jl c*11jA

tit .4_iauJa]| ^UaJ ^^ic CjLuj Jj^t Jjoiil ^-J jjJ^lVI ^J^ dllaij^ CjLuj jjji]L <jl > ^n^lt CjliLJl (JLojjIj (j^GjSJ S^lc (Jja^l g <^t 

b LjI£Ij ^Uajll L-JJi .^ij jjj JJjiJl tJJjjll 4_iauJa]| ^Js 

.t— iLia ^j;^ cJ^^ C5^] ( _ 5 lc 4_jL^>Jt djLi^ *j;^ cJj^'^j ^ JJ» >*M ^l^IjjII CjLuijjjill £c>»jj qjajLi jj^T^ j ^t 

, L-iL^aJ ^Uailt (jli tAjJJJJj 4_Aj^a3I ^cxaljjll (J-Ia^JJ - *all ^ajL LaJJC 
^Uailt (jlajsu Jii AijjstxJl e-Uaj^VI ^^L^at ^t L_flJ£J <^tj Patch ^— J^t £a L_ Lj laJ jt S.JJ.JJ> Cjljljj^a] Cl UJJJ ^ Jjja 

.CjLuj jJjiU 

.6JJJJ*. djLoj JJJS *aJJ ^ j£j Uiajt g ^t (j^ JJ-all Lia* jl JJ^jJl 

LjjjjJVt SjUalj g-djjjil jjjjH] ^i^luuj ^Ul j 4 jjt mi jjSVI CjLajSISI 

Security Threat Report 2012 (http://www.sophos.com/en-us.aspx) : j^i^Jt
Aj^kJt cj Uq » ^ t <ir>* 4_il*i> ^jL 4jj&]| ^ ^t^ki^U :Blackhat Search Engine Optimization (SEO) 

l^jlS j j^Saj ^t c_jjj3t cjUi^a ^ ji^b (j^ ^im^ t ^hau jL jj^l^Jt :Social Engineered Click-jacking 

J j^.^ jl^<» ^ tcil jiJt tAjcjJJt djLauajj>Jt ^> a\ Af)<\\\\ ^\±*iui\ ;Spearphishing Sites 

gSljJI cAi* jj^ ^>xj ^t (AD network) ^^Vt 4£jJJt ^ <in^Jt CjU^ jJt QixjjaS ^ di^. :Malvertising 

^AJlxJt JJJ>Jt A£^>^. <*-ltij 6<CjJjauJt 

.uJalill jljjJI cr^^j ^W^j^' u ji n ^"0 u A > ?n ^ : Compromised Legitimate Websites 

6jUj S^lL iaia SjLja ^t jJt ^jj^aidlt ^Ujj ^ ciit^sult (jiasu Jiiaaj ^.l^lt iDrive-by Downloads 

.djjJjVt aSliA (^ic 4 aiji gait 

Virus Hoaxes and Fake Antiviruses 

Virus Hoaxes i 

j tdjLoj jj^lt .djLoj jjji^lt c_jjil£t <j Aj^aij Virus hoax l^j jt j aL^. jt Ac^a, Ajj^L^jyt ajlIIU Hoax ^^-^ 
Jjs (j-a J^j^ c-H jj^ CP" L - J ^'^^ c5 cs"^ cJ^^j (jc- ^jW^ g-^-c- Hoaxes . , *^ c *^ (i ^yajt cjSlai t\ ^jx-uL 
JLojjU ^A^laA^t ^Jt (jj^lx-<i ^Lij (Jjo^j uj^ 5 *^^ ^ ^ ^ ^ l>^j 'Hoax -SI j> <cUjjt ^ * a< ^ (jii^t jt) Lq ^ uj 

^it j ^ La j t^jjJajVt oj^lt e-LaJt <!Lojj3t jj^ili jj > ^aS cjS j .^uL^aVt <JLujj11 forwarding lU*^ ^ j^'^^l 

LdAjc j m ji*\ ^jlaj c aLa <juoij ^-tj^V ^>^> ,n Vj jj jjj^^t (Jjj jj^ ^jj ."(jj^ jt <iia» ^ jjoj j^Vt 

cdSI t(j£3j m A l£ uLq UJ^ (jl 6 ^ jj;^^ ^jjjjjjS _4_S£julxi I aajoi^ ^a».jVt ^^-icj tUajulj ^jjjjjjilt t^liilt ^c^Ujilt (Jilulj 

L^a j 1 j tCjLujjjjilt ^jc 4_au^alt (jjjLujt l^J (JjjJ djlcLujt QjjjuIIj ^jjjlilt ^J-^l * <A * ^ J^J (Lnjaij Aiila 4 J°J Q ^ CIAjuj j jj£ 

.^j^j^ ^^jj^ Jj^ j^j^ 5 jj cj! jlijj ^ Virus hoax 

^aJj* ^jt l^jLuj j 6<llSLxi ^ JJJ^I ^J^ L^^J op) JJ>^ C5^l J J^ ^ J^ C5^l J ie> '^ Jj 1 ^ *^l L^^J 

-(a UajJl cillij JJ^\ 

^^jjjjjjilt Cjlaajd ^^ic ^ l^juoijt oiA jj laalt JjLojj ;CjVI^JI j^su 

/ fl>Jfrll 4 <JajVt (^Sc AjcjojIj JJ>»^J ^5!^ Djjill djA ciUloJ 
u' (Hoaxes i^^) Hoaxer £*j j* <> ^ ^1 *Li>Vl "^j" J jUj Hoaxes c> AP*^

(j^/qll j Ia^j^j ^j-<i 1 ^ iiaj <L^)iaj Hoaxes J Jk ^ £^^>f^ La JJ 

.^^-> a\\ ajjL^JI cjI^V! ^-J^Uaj (jjjUll ^jL dAi!}lcVl cjL^. j3 (j-^a^i ^J^ 3 ^aLk j 'Hoaxes 
jjjaall/Hoax Jj^ jl*-^ c> £^ . jA*^ ls'^ ls^- ^ J*^ ((j^ill) crosscheck Jj^ 

j,^ ^ cijUi jIslxJI (crosscheck) u^^^j ^ 6 ^ jfui^ll jl±kVI dilc ^ <Jja ^lii jll £>i& jjuu lit La 
djUi jls«-xJI (crosscheck) o^*^f ^ 6 j^f^ ^ <^ ^j^*-* u ^ ^ <jjiJ j& ^>f^JI jjau is'^ *^ ^ 

<! JjlLi ^Ij^js f>jhn 6jUjj] Uiajl ^)juliil ^1L<»j (jl ^yXjjjj 6 jlikV! jjooj clula <*-ijt£ lil La 

(j-G ajLa^JI ^ j*^ C&J^ Cf 0 ^ jf>^i hoax virus j& ^JU«i jii^Vl djL^a j^ill ^ j



Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEIJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard disc of your computer.

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End of mail
Thanks.



Fake Antiviruses Jk 

registry (outbreak)c5^ j u' ^ j >3I c> ^ j Fake antivirus's 

^<ilj^)i3 JjUui j^J ^glc (Jasu l^jl Cilia j^jj ^aLkll jj jJi^ll (J J^^J S^iaJjoJlj ^1 g <J] ^U»jail3 ^Uaillj 

# ^<ilj^)i3l lIiijjj ^jIaLJ ^^jjoixJI dUIjI ciiitj ^^jII <JiLd <L^)Iaj <aaL> (Jj^j oi^ jll 

11a jj^lJ cjlifxil! j (JjLoj jll j g&y>l\ ^jjJI j ^ jj^Vl ^jJl 1 jx»^kiaaj jjA^l^JI :Email and messaging 

j^iu] i^c jjj iJUJi j] <^UJI d^JI CjUILu^aj ^^lxii Lj Uq , ^ *LijU Ij^jSj u^-W^^ : Search engine optimization 

t^iAAjll CjLojjj^I ^1 jj r ijffil I 4 m uJI dili ^iljxJI j^Aj j^j^ u^W^^ :Compromised websites 



4-uIa ^^Lua 
Virus Analysis: DNSChanger



http://www.totaldefense.com 
Cj^Ij jail j t^Ui^VI aj^^JI j ^ jj^IVI ^jjJI (JjL^ j c> j^Ijj s jUb g-al jj ^ DNSChanger (Alureon) 
4^ jii d^IcU ^ ojLjall £c>i!^)i3! dIa (jl^-o ^v^l j botnet lg-^ J^ ^J^*^ o^^j bot lg-^ .^-^j-^V^ ^ j -0 

# a£jJo3I AiLkj Jld jlg^Jl j registry ^l^* djbl^c] cJ^*^ 13^ J 3 il^DNS 
^ U l^Jl ^aja^ j ;^3UJI ^Lajl J Sjjtull ^LJajVl j jl Ij^j L^L^aI DNSChanger ( - 

Jc; ^3 lg_La jjjJalJl jl jLajJa] ^L^aJl/4i^!/4£jLJl DNS ^ <j£^(FBI) JO^' CalijSaJall ( . "< « ^Otnet 

4£ Jjj^il il^Ji ji^. DNS Cjbl^J j± DNSChanger u 1 ^ .DNS Jc, s j^3l jjil! 

■AJUJ) CjliUaU) J S Jjaj* ^Lux4J)/4imJ)/4ijL4]) DNS ^ 
64.28.176.0 - 64.28.191.255, 67.210.0.0 - 67.210.15.255 
77.67.83.0 - 77.67.83.255, 93.188.160.0 - 93.188.167.255 
85.255.112.0 - 85.255.127.255, 213.109.64.0 - 213.109.79.255 



Figure (source: http://www.totaldefense.com): DNSChanger infects the victim's computer (IP 10.0.0.5) by changing her DNS IP address to 64.28.176.2, a DNS server the attacker runs in Russia. The victim's DNS request for www.xsecurity.com goes to 64.28.176.2, her browser is sent to a fake website at 65.0.0.2, which captures her credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45).



jj^j a^I^J) q\ a^j JtLJI 11a .DNS server l!^*-^ Vjl ^j^j ^.l^JI ^jli t^pajjiiill (3^^j ^j^j ^^-^^ AjL^aV 

jljj^ (Jjjia <±aujal l jjjjU^ll jl^a. ^l^JI ^jij tUllj .64.28.176.2 'IP U^jj c> ^ o 3 ^^ DNSserver 
l-jL^H jl^aJi DNS ^1^] UUj jjiu -ola c^Uajll ^ ^i^J! cjU^ jJI ^ jiLi ^ .64.28.176.2 : ^ DNS ^ IP 
c_ASa JLuijj ^ tDNS c> ^'^j ^ .^W^^ c5^^ DNSserver m^^W DNS ^jUI^ 5^ jf^j 

Jj "www.xsecurity.com i IP jj& I ja U " DNS ^ujJI cA^ J .diniJI DNS 






J^ij Utic .65.0.0.2 j*^ ls* & 'www.xsecurity.com Jj^ ^Jiail <jUiJ .(64.28.176.2) 

LS L&*A\ j-JI J) 4-iliall s^lc-jj (jjuJI cjUKj ^^kiaiJI ^jojI) (j^jji^ll JjIjj c jjjjud^j3U ^jL DNSChanger .65.0.0.2 

.200.0.0.45 IP jljfc- fc* (www.xsecurity.com) 



(Type of Viruses) ^U-jjjil! 7.2 



jLuj jjjSj 4_p jVitII CjLoijjjillj jj^UJl CjLuj jjjSj dlliLJl S^Axla CjLuj jjjS <J!La ^jl^jJlj CjLujjjjiill A alia all ^1 jjVI ^joakll 11a JJJJ 



(Type of Viruses) cjU^jj^) 

f (What Do They Infect) ^ ^ g^l U 
?(How Do They Infect) < .u > ^ ^ 



Figure: types of viruses, grouped by what they infect and how they infect: Stealth Virus / Tunneling Virus, Cluster Viruses, Encryption Virus, Sparse Infector Virus, Polymorphic Virus, Companion Virus / Camouflage Virus, Metamorphic Virus, Overwriting File or Cavity Virus, Multipartite Virus, Macro Virus, Add-on Virus, Intrusive Virus, Direct Action or Transient Virus, Terminate and Stay Resident Virus (TSR).



What Do They Infect ± 
: (System/Boot Sector Virus) Jj*&II £UaS cjUijjjS - 

Master boot Record (MBR) cjI^LLS ^ diuJ ^1 j 4 (system sector)^^ cjIcILS ^ ^ JJ: il3 lc jj^ jSSVl 
11a f» jIjj ^Uaj jj Jaa^j ^ JU^^ ^ u ^ 1 ^^^^ ^ j^j .DOS Boot Record System ^Ic-lka j 

.Stone virus j Disk Killer : 



:(File Virus) diLA ai^jjA -

4x. jjaiJj (jjia oAau jLaajVI Jc A^jSLs CjLuijjjill (j-a ^ jjll li& jj-ajjj lifljj ^lxAjjj ^\ J t * a ^^ <juiij (jj^Jj CjLuj JJJ^I (j* ^ jjJI 1^ 

jlxJIj 4_iiL^xJI ^c^l jJI JlijjVI A ^ ^j^* < a^< ^jjjj£3VI ^jj^I lS^-^jj a ^ <j^al jiiVlj ^JjI^I <j^al jiiVI l&j-a a! j^-* 

jj£| L_alxJ| CjLaJjJja .(_£j^-VI J jjflJjll £LX»ljj]| J fiA j^. j>Jl CjliLJl <JiL 4_Aj^Ij £JJjuJ| jLuljjVI Jc ^jAfj J <JjjIxk (j-a£j*j dijliVI 

(j-* J^ J JJ***^ clA^J '(JJ^^ (j^ ^ J^ ^- c * * (j^J^ 3 ( ♦ U > ^ .^-C jJjoi JJ^VI <^ C-Lau] j OAslII c ? *n^> ^j^ 

: (Multipartite Virus) ^til*]) Sjj*1* cjUijjji - 

<jU^U cjLuj jjj^I £>a& ^ jiiia djliLJI cjLuj jjjs j boot sector cjLuj jjjs cjLuj jjjiJI (j-a uj^*^ * L - J ^ 2^ jj^ 
.^Uaill ^l^-jl 4it£ Jc j/oTnl ^ jj^ ^ ^ ^1 djlcLka Jc jjjj IajjAj djliLJI li& j ^ (programs file ^Uajll dAiL* ^ 

.Tequilaj 'Flip 'Invader p^lkjl l Ia^> 1 ^ <uli ^ jjjill li& cj! jaS3 3 ->jT^ j 

: (Cluster Virus) cjU-jj^I - 

Aio ^n^j directory table ^->t*jl*-* J^^j ^ j*j ^Lia] c_iUL ^ jj J c^LJI jjj>j cjULJI < ju^h Cluster virus's 

JtjlLj ^c^U jj3I (j-a VAj (jjjjjjill (J-Ia^J ^aliS JxiJl ^cxalj jj3I (j>» VAj j-*J diVl^^Vl <Jakj <J*-?^ U» ^nlaJ cJjixjujj 

Jp ftlaUl Jp Sjj^j-JI cjI^aJIj cjUIa]) <Li J^-uj dip. MBR ^ Jj^ Directory table :<UajaIa 

: (Macro Virus) jj^l cjl^jj^ - 

t jj£Ui ^jjjjjjs ^.ft.t.nj ^^^j jj;^^ CjLajjjja J^lk ^j-<i l_jL ^jl I ^ i£ 4jL.aa11 djlknlaiill jl (windows word) ^jj 

.Notepad ^jj^^ ^aSj l^jl Ia£ j !jL£ij! CjLaj jj^l jS^I ^ j mLs ^ jjii^lVI -^j^ ^jjJjlij Ui *^lc .^j^-Vl 
t^J ^ ^ 2000 j Microsoft Office 97 J Word -Si l>-jj^ : Melissa :J^> 

An Important Message From <user> uj^ l^jJ^I *tJt ^ ^Vi . n^ l J^j .1999 

Microsoft Outlook ^ u^jj^^ ^-&*\\ ^ ^ .tiL^ u^j^^ c> o- 3 ^ 1 ^^ user uj^j d^ 

L-iii ^ij 'System Registry ^Uaill l-jc^UIIj ^ jj^II ^j^j u^-^ 50 Jj' J! J^j!^ ^ ^aia 

V L^j Word 4jU^I jj^II u ^ > ^ j J^^j c l^V W^ord c ><a ^ j Normal.dot ^ 

JjLojjII j^c sjIj j tiL ^j^aLkSI ^ jjj^IVI ^jJI L_jLud^. jj j l-j! > <~ia\\ jl^j>Jl Jc ojjj^ ajjj^^j I jul Melissa 

How Do They Infect 
: (Stealth Virus) ^jj^l - 

Jc ^ ^> o JjlsJl djUUill CjLd jlat^Jl ^cjoUJ ^a j£j l^jli tl^jli^.] ^J^AJ .djLuJjjjjll ^dljJ \& M1 ^ 1 ^^^-j lSj^J daLuj JJJ^l 

^ jill L_fli^. jl t a.^<U L-Jju gall (j-d J .(J^a^ill ^Uj! CjLaJjjjill ^c-<ilj^)J Jj CjliUil! D^A JJ>1> aJJ ^a j£l! ^aJ L^judij 

^jjJ^VI -^J^ cS^J^ Jj^^*^; ^a^JjaixJl ^ajli Ui^jc 4(JH<JI (JjJjuj Jc | j Jail (j-G ^AsU JJ jJAx^ll ^aUaj L-JJj gaJ ^j) 4 j£ .CjLaJjjjill 
t^^kVl CjLuj jjjiJl .^-^ (j'^^l ^ ^aJ ^Ia^jjojI jl j-<Jl AjliiaJl ^c>il^)Jl J 6j£lL<Jl Ajjj^JI daLiai ^jili CIjjjjj ^AlLuaJ) 

A ^ ^1 ^ ^ ^dljJ (jtS 6^al^>Jl Jlxi Ailli AiC „ JJ jJJ^ll Jc JJjJ (jl J ^^^^ L>^ 4-*-^ J ^-ajUa ^Aa^LuJj (jl \ £ j£ ^J L— Ll^ 

^jl^J .C-iLai JJjill <Ja^l^o J^ ^ ^ lI*-?^ C5^ JJ^^ ^ J ^ * ^ ^ J SjluJall ^dl jjll C Lujj^J CjLuj JJJ^I 

(j£-dJ .AijJaj c aL> ^ IgjuoAj JIAjJjojI j jkl (j^aljSI tilj^xi Jl \ £ > n$ i ^cjoiJ j L-jL^axll c flLall ^jc. IAjsu tj3j-<i l^juaij liLj^J (^J^ 3 ^ 

.L-lJj^l L_flLJl a ^likl (Jjjia (jc t ftjuj^ll ( ■ ll^J Lkiajl ^JjoJI (jjjjjjill 

(j^a^a J IAJJ ^aJ (j>»J- (JJJjJji3l (Jj3 (j-d ^aUajll J ^a£j^j3l ( ■ ll^jl- Aj^dJ (J^ajS JJC ^aUajll (JjxjujJ ^Aj <Jjfj (jjjjjjill (jC t ftjuJ^Sl (ilj£ <Lj 
liA Jl JJ V lillil t^aUajll Jc j^.1 L^L Jl ^joij ^cjudJJ A3 (Jjj Jjjill (jl 5_j^aj3 tillj^i tljA (jc c ajjq^ll (jl£ jl L5 la k ttilli ^ j .djLoj Jjjill 

_(J-qI£ cJ^^ < ^^ c ' ^^akll IjA^j (Jjj jjjiJI 

: (Tunneling Viruses) JtiM cjl^jjji 

.AjjjaJI ^1 j^VI (jc t ftju^ll (j>» (j^jj (jl cJ^ ciaLuj jjjiil Ajja a ail^ll cjU^jjII l gajll cJj^j c?^^ C-Hjj^^ ^ Tunneling virus 

Jl L-jIaaII (J^jk (jxj Jaxj ^aJ ^JJ^. .CjLujjjjill jj J^ 3 ] (j-* J^^ JJjoixi J l^judij (JjiiuiJj ^a j£l! CjLajjjjill (jxi ^ jjll I1a 
^tkj 4_iLk J Jaxj Jl jj V Jll tjial j^l g-al jj .L_fl^i3l JUlLj <l$il3j]j JjiJull ^Lkj J interrupt handlers
ml ^A\ djLoj Aia^JI ^1 j£VI a^j V CjLoj jj^II o^*-? .Tunneling virus *^l dia^ai Jj/LuSjII 

^ij jll 4jq^\l djLoj jj^ll (jc c LS^j jll j ^ tunneling 3 > ^ jj^l ^vimi diLm jj^ll ^^K<\ lA* 

. jj* jjUx^ll dlLj^i <J^.ta 

Jj ^ j^jlb tilli j AjJaLLJ! <LudLoj ^IjjIj djLoj jj^ll *Lail£^a cJ^ J^-^l 4j5I^>* jjW^ J j^-^ Tunneling virus 

. f" 5 DOS or BIOS interrupt handlers

: (Encryption Viruses) j^iUI cjUijjj* 

^jjli-o ^I^jjojI qa^. J iAlA!l jjjjujjli tila j <JI V . jjqnnll <ila SAa. jj ^jjj jj^I (j-a SjLuui 4 ^ mi ^jjj jj^I jill 11a 

: (Polymorphic Viruses) J^VI Sj.j£U cAj^jjA - 

t^aujj l-jxj .^Uaill J CjLajjjjiill ^jc li^j (j aj' Jll iijLuijjjill £^1^ Jc- ciaLoa jjj^I aiA jjjlali ^j* ^£1 

^£jjlax»j _<LljaJl (jc t alikj (jjjjjjill I1& (J-g 4 a 1 aj (J£ ;(JllxJl (Jaijoj Jc- t^Uaill (JjJJj^aJ Sjxa <J£ <J 1 * t ^j] t UJ^*^ f^*^ ^^>^ 

^jjjiflll li& jIjS! Jx^j Jllj (virus writing tool kits) jj^l CjU jllaiJI j a! cAZ j^JI ^UijU I jAa cjLui jj^I 

jj j>a (Jjj^VI (jc j^ii aJL^JI 

:(Metamorphic Viruses) ^j^IaJI cjU^jj^I 

ULj^i ^ t>j jjS Jj 11a ^ jjj dii^ .metamorphic code V*^ lA^ ^IjSVl 

.o.Vqir a ^1 j£l ^ uj^" l - ) ^ uj jj^^ cl>^ ^ I^a .polymorphic code ^ ^-jjl^Jlj <JUi CjLoj jj^II .CjLaj jj^ll 

: (Overwriting File or Cavity Viruses) lhjj^ - 

11a J 4-uiij cIujjIj ^jL ^ jj^ll .^jlall ^-Ljaill liA J <j <j^aLkH ^1 j^Vl 'Space Filler Virus ^ j 

: Sparse Infector Viruses 

V j fUajll sparse infector -Jl C5%j Ja>i ^ VI lU*^ V cjU JJ: i3l ^jj ja Sparse infector virus 

L>« ^ ^ cJ^-*^ jl J cJ^J Jaj^i Ik; Vj ^. ^n > i^ l <J 

: (Companion Viruses) J^tj^t lhjj^I 
V^j .CjULJI ^ ^l Jc; JjaxjIU ^ jij V tAjAiliill djLoj jj^ill Jc; ja j t^ix-d jj jjax^ jjjs ja Companion virus 
jli c^LJI liA iiiii ^ j^ajj (file.com Jl file.exe 5^ )(.com) s^lc «^ J^ j^l j ^-^l c> ^ jii ttilli 

CjLuj jJ;iiU o^LjaxJl CIjLi^jJI 6AiLau£l L-Ulj ^ij (_3;i3j ^jjj jj^l (Jit-nj L_ Lis^j ^Jj3 4jc jill m J jJJ^ti ( JJ > ^ J (J^ JJ^I 

J jjja j jii£l ^ill (jjj jj^ll f^^l ^ j^JI (j -0 L - J ^- juj jj^^ 6 ^ -lh jj^^ ^ J c^J^ <-J^^ CjliLJI J cjIjjjjuII ^I^ViuiV 

jJbll J^^ill J^U j> ^JUJI J cilli ^ ^ .MS-DOS 
: (Camouflage Viruses) ^j^JI cjl^jjji - 

£c-g! jj c—lq ^Sj ^jl jjIislSI l-jju ^11 ^j-<i (JjjJ CjLajjjjill - iklLuiAl] CjI sjf^J l^-jl Jc- I (S ' ^ djLaa jjjjjj 

j(g > >i j diLuj jj^I JiLd l^ja ^jj Jill <iaii3l Jj diLoj jj^I 

: (shell viruses) cjUijjjS 

^LxiljjJl <juoij ^j-d (Jju^J Uui 4 M <jJajJl Sjjuja" JiLd l^jjjlLd (j^J Jill L_fl^Jl L_flJjJaxJl ^x»ljji3l ^l j£l J j^. <a±la (J^^ diLuj JJJ^I ^l j£l 

^jjj JJjill J (JJJ JJ^I ^l jSI <Jajoj| jJ ^J^a. ^5 j-d Jj 4-lL^VI A-l^xijJl lIjUuIxjII (Jij ^aJJ tU& w( ^£*jfi ^jjJ jj JflxJ C flJjJa^ll ^l j£l j Jj^VI 

.IgijjxJJ ^ajij ^ill jA 

:(File Extension Viruses) cAHaIS JliUt cjL^jjjS - 
ajjIS^I Jc^ ^ lila . Jj L-flU Jl jjAj liA j ^1 JjSjj .TXT ;CjULJI ciibl^l j£h ^jz File extension viruses 

.BAD.TXT J** ls J ^ BAD.TXT.VBS ^ll ^ ^ ^ cjULJI c^bl^l ajjj 

:Add-on Viruses 

aJ\ 5-lj^.j uj-^ 1 ^1 j^l <jI*ij Jj <j <j^aLk]| ^1 jSVl (3^Jj CjLojjjjill ^ jill 11a .add-on viruses <^ ^-^jj^l ^^ > * <> 

lIjIjjjaj 

jS t flL&ll ^jl ^jjjjj^I ^ j^l Ij^j l-jL^q L_a3tj t aIaH ^jj ^^Jc. jj^> j3I SjLiVI .< aj^^l jI j£I JjS <jjjjjji3l jI j£l jjili

.jbjl 

: (Intrusive Viruses) 3iikUll cjU^jj^I 

(J^asu ^ jl * a ^^ t auU^I Jill j| j£V 4-*U3l ^ j^l (J^A 3 W ^^^J^ ^1 L$J* 6 ^l J^l ^^-^ U^JJ^ L>* ^ ^ 

■ ^.♦^ 1 ^ J^-uiJ 4_iL^aVI 4_i^jJl CjUuIxjII liili ^jj V ttillil . Laa 4_La ja> JjjS (jj£j 4jU£3I ^jLi^Vl 

: (Direct Action or Transient Viruses) SjjUJ) jl j^UaJI J^xS) cjUjjjjS 

_<Jc. .luiflJj 6<LAxJ jI ja3I L_fl^Jl ^c^Ujill jll^j t^JSJ ^— ^ L_flJjJaxJl j| j£l Jj Jajl jJ^all ^ I— Jj^l 

:Terminate and Stay Resident Viruses (TSRs)

VI 4jSI jl V .Ujlgilj c_ajjJI < Lijja^ll ^UjJI iiiii Asu tl^L^L JaxJI Sjjj *UjI oj^lill ^ ^jb J£.uij TSR u^jj^ 

(System/Boot Sector Virus) J^&JI £lLS cjUjjj* 

J <j^u3U Ul 6^-ajall <> (executable code) <LU3I jIjSVI Jc jjjj g-jll c^Uj 1$jL 4±ij*i System sector virus 
.c_il^ill o-^j^l t> DOS boot sector J^ y-jll ^lli 1$jI J& <^j*j Boot sector virus 

uj^j . (boot sector)^§-*^l j* ^ ^j*^ 'Boot sector virus ^ ^ j% ^ <> ul ci^

cjl .partition ^csA? uj^ ^ 'segment c> cluster c> segment c> ^^1 1> ^1^1 1 

virtual ^ (6^^^ sector) ^-^1 lU^ jli 'segment ^ ^ ^ jJaiJI cjUUJI ^.l^ ^ jj^ ^Wls jjIj 
Jji^ull ^Uij cjUL ^1 ^> JjVl jj^jj c^^l (MBR) L^jI J£ c^j 1 ^ .Dewey Decimal system 

U j>l> jajj ^Ij t (A^^ sector)^^ ^^1 <^ c> c^^l j 'MBR Jl V jl ^ 'o 3 j^ 1 ' 

^ ^AaJ ^^jII CjU» jIslxJI Uiajl {boot sector) \^ *^l ^Uaa ^jii^j ,(il3i l_ li^j ^ajUl Jc Ui j <L ^11 djli djU» jIslxJI 

^j^a^ll Ajji^Jj (JjIXjuliII ^Uaj jlA^alj 

^JJ j^J ^aJJ L— Ll^ tdjlcUakll ^1 (sector) JJ*^ t>1 L3^^ (J^ (^lallo Jl puiVn ^aUaj ^1 ^jl I1a ^j^akLi

{^(sector) cjl^UaS J l^aj ^jjj ^ja system sector (or boot sector) viruses .^IjJI/cjllnkill 

.A^.1 j ^Ha3 IjflJ jlg^Jl (jl t^j^ajill Jc Sjjisu^a (j !nl (jC 6jUc 4JaLaUJ (j^Jj tCjliLo Cl bujj] djlcUakll .tiL 
.(jjjjjjill 4_Jjou31j ja^. L_flAA ^)flxJ C5^^J (J^a^Jl jj;^^ jW^ 4_^j^j^3I jjixjaLill 4_iLiSL! <jjaii3lj A aqa \ * &]j Aj^IxJI ^lx»I jJ3 ^J>» 

\QJi jj/jj^Lj JJ JJJA^ll S j£^l JC J^. JJ ^j]| ^UaUj Ljlf'lL^ (J-d (jl^ JJ dUA 

DOS boot sectors and partition sectors (also known as master boot records or MBR) 

MBR (Master Boot Record) - 

4-xJijVl J * j^JI .CjUUJI jljia ^li^ <MBR ^ l^j <jV djLojjjjill ^Jaj^JI ^UJI jii^l ^ MBRs 

.GPT ^ Jl a1\±£J ^ jS UEFI ^1 c> BIOS J^ cj 31 

DBR (DOS Boot Record) - 

.CjLoijjjill jjS (jxi J^£^ a Aju^LaJl 4_lail3l DJA Jfl*J ,^aUai3l jjT_>.^iJ ^aJJ LaK DBR ^Uakll Jjijj ^aJJ 

oiA jli t^alkill ^Ika ^ djl^LaiJI jj^JI ^IUa (JjjJ Ajl Ujj .s j^lill CijU 512 a* uj^ (System sector) ^Uiill ^Ika

oiA jjc j£Laui ( . Ujujj (jLi^VI o^asu ^ ^^1 j ,^aja3l Jc j^.1 (jl^xi J l^J <j^aLaJl A-ia^jJl lIjUuIxjII ^li^-jj f J^J Ullc. CjLuj jjjiJl 

ciLj^ ^ Boot sector virus Ch^\ J clA 3 j ^^1 ^jIc^I cjj^. lil tCjUUJ! Jc; JxilU ^ jj^j ^1 k*AA\ 

Vjl IjJJ Jj^udl ^alkj JjXJkJJ IjJJ Ujjxi .MBR £>* J-^Vl ^ ^<Jl Jl ^Laij ^Cjudjj dljliill (J-ajall Jc; J^l ^ ^ Jl MBR 

.MBR Jl ^v^l J^j ^ c>j o 1 jj^L ^a^JI ^1 j^Vl Jj*j£L 
Figure: the MBR before infection, and after infection with the virus code placed ahead of the MBR.



Qp. <**k q\ c j£^j l^ji L£ .SjSlill ^ sjIc cl^jj^l ^ .floppy disk j*> System sector virus ■! jll lU^ 
eJ^^VI Sj^jLLq CjIjoj jjjs Uiajl l^-ilc ^ILjj 4<jU^<J! CjULJI <J!)Lk j*^" sector virus .SjI <jL^^ 

.(multipart viruses) 



(Virus Removal) lhjj*^ ^ jj 

^ jill 11a £a <J>»Ixj13 j <9Jjia .^Uaill Ls lc (JjjjjjS cilUfc (JjjJ AJu ^ jll (JjIaJ (sector VirUS) ^jJaiill dLuijjJfl ^-IaJ ^aJ a - 

Jjjj ^ ^j^^gll AiajJ <Ljia3l j .CjLuj jj^ll £>i& AjJa AjI lilli j <j Safeguard cf-^* iSj^i J U >1< ".^ 



File and Multipartite Viruses 

(File viruses) cAHAS cjL^jjjS J_ 

<PRG 'OBJ 'OVL 'SYS 'EXE 'COM ^Uaill Jj3 <> U J Ui^ cjULJI > t ii^i CjULJI CjL, jj^ 

6 jSlill ^ fj£ ji (direct-action (non-resident)) * j^L* Ja*j Ul jjSj jl l^i^j CjULJ! CjL* jjjs .BAT j 'MNU 
(j-o <c ja-\ a LojLojI c v^Wi djLoj jj^ll *>i& .CjliLJI V tjj^ CjLoj jj^I ^jjla^ .memory-resident 







cjLojjjja c Lil^aj ^jj . c j^ajL^aaJ ) jl {Physical behavior) is^h f^j^ u^ 1 ^' U^^jj ^ ^ < — aL^H cA^jj^ 
0^ jjja i ^jj ji Liajl (j^j .cilli U»j \^ ^UaS 4 COM^^« jl EXE '<a^l^ c^ill t aLoit ^ jj l-lu^ lJAA\ 

.lAi^JI c^LJI jijSi ajI^j ^ <jaiij L_±ilj :Prepending 
t_fljjjaJI t_flLJ! 4_algj l^jaij :Appending 
_<j 4 > *al ^\\ ^1 j^Vl ^ c qu^i^ll t^LJI ^1 j£l jjja <jU^3U ^ajL ; Overwriting 
/ auu^i l a\A\ ^ j£ dit ^ 4jaiij ^Ij^U ;Inserting

m i LijJa^ll c aUl ^jujI ^ ^Ljuoij t . n^jj ^^i^aVI ^ LLoil A-lojujj S^lcU ^ajL ; Companion 

.Cij 32 t-iU *l j^t :Cavity infector 

ij - j tftjStilt <^a JaL^L C5 ii5 ftjSlil! ^ a a\*a\\ djLujjjjiill ji ^ iaA\ ^jAxJI JSjj t . lL^ali ^j^ajill C5 ic EXE (jc 
.S jLLa jjc; j) l (encrypted)'* < (polymorphic)d^^\ "o^xl* jj^j L_aLll dLuijjja j) JtLj .^Uaill ^Uij ^ jl 
c*la ^jj .ajjoujj]! bi\ j£l AiLjaVU (jjiuuil decryptor el) -0 j-^' ^ j csj^d j^-^ j> J^^Vl ^a*!* djLoj jj^l 

tAijlj ^-UL* jl j;istia decryptor S-^-c- SjiAAll ^ jj^II ^vimj .Iajj ^1 Jja decryptor jj ^^joujjII ^ jj^ll ^1 j£l j^ii 
cl>^ j^-^ uj^-" j A ^ ^ ^jWl UjI jjuoc Ia jUjdjj ^jj decryptors c^-^ c£ j-*^ lS^^VI s^axIg cjLuj jj^I <ji 



:(lhjj^ Jj^) Execution of Payload 

.Sj^WUj* ^ :Direct action - 
.cjS jll axj Uiiiii :Time bomb 

a±x* c^ji Uiiii ^jj : Condition triggered 

Multipartite Viruses 

^xull ^Uaa ^ J£ 3-^1^ JjUj ^ill multi-part virus ^ (^'j^Vl CjUjjja) Multipartite virus 



(Macro Viruses) jj^i cjL^jjjS 



^jjjjjjs ci iLuijjjill ^ ^ jill I^a ^gjeu^j jj jji^ll cjLuj jjjs <iajaj| l-jL jl 1 g i£ aJjUuJI dalLnJajli jl Microsoft Word

(document)S^J^ ^.j^k J (template)^ Visual Basic for Applications (VBA) jj^-* <^

jj£UJ! CjLajjjja .Aj^Ic- cjl^iLaixi cialaLo l^j! Jc lA^Ja>» Jc JaliaJI t (template file) t_»lL5JI cjlila

ijaji ja.Vl Office jjj Excel j Microsoft Word jj^UJI s j^a ^ -ujUi ^1 jj exploit ^g'^^j jj^^ 

macrocode ^ exploit Jj <al^V^ ■ jj^^ ^ j^^ ^ (Windows Help files) Jj^j^ s^U^ll cjUL ^ ji^i 

.PDF «— s^aLtt t ; n^jj IjIj ^IjjJ a1a\£\\ A\u\\\\ ^k ± 
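As an added example (not from the original study guide, nor from Microsoft), the check below shows the one static test that matters for modern Office documents: whether the archive contains a VBA project at all. A macro-enabled OOXML file is a ZIP container, and Word and Excel store the macros in the members `word/vbaProject.bin` and `xl/vbaProject.bin`. The archive built here in memory is a constructed stand-in, not a real Word file.

```python
"""Added example (not part of the original page): detect a VBA project inside
an OOXML (.docm/.xlsm) container before anyone opens the file."""
import io
import zipfile
from typing import Optional

# Where Word and Excel keep the VBA project inside the OOXML container.
VBA_MEMBERS = ("word/vbaproject.bin", "xl/vbaproject.bin")


def build_docm(with_macro: bool) -> bytes:
    """Construct a tiny OOXML-style archive; optionally include a VBA project.
    This is a constructed stand-in, not a document Word would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin files are OLE compound documents; the 8-byte
            # magic below is what such a container starts with.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def find_vba_project(doc: bytes) -> Optional[str]:
    """Return the archive member holding VBA code, or None if there is none.
    Names are compared case-insensitively: odd casing has been used to slip
    past naive filters."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as z:
            for name in z.namelist():
                if name.lower() in VBA_MEMBERS:
                    return name
    except zipfile.BadZipFile:
        return None  # not an OOXML file; a legacy .doc needs an OLE parser instead
    return None


def has_macro(doc: bytes) -> bool:
    return find_vba_project(doc) is not None


if __name__ == "__main__":
    print("macro-enabled:", has_macro(build_docm(True)))
    print("plain:", has_macro(build_docm(False)))
```

The check answers only "does this file carry macros", not "are they malicious"; a mail gateway normally blocks or quarantines on that alone, and deeper inspection (decompiling the VBA) is left to the analyst.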




[Figure: an attacker sends a macro virus that infects macro-enabled documents.]
Cluster Viruses
A cluster virus does not modify program files themselves. It modifies the directory table entries (under DOS, the directory entries that locate each file's first cluster) so that they point to the virus code instead of the program. When any program is started the virus runs first and then passes control to the real program. Because every entry points to the same location, only one copy of the virus exists on disk, yet every program on the system is effectively infected, and cleaning it requires restoring the directory entries, not just deleting a file.




[Figure: cluster virus]
- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program.
- There is only one copy of the virus on the disk, infecting all the programs in the computer system.
- The virus launches itself first when any program on the system is started; control is then passed to the actual program.




Stealth/Tunneling Viruses

Stealth viruses
These viruses hide from antivirus programs by intercepting the requests (service call interrupts) that the operating system uses to read files. When an antivirus program asks to read an infected file, the virus intercepts the request and returns the original, uninfected content, so the file appears clean; when the same file is executed, the infected version runs. A stealth virus therefore keeps a copy of the original data and must remain resident in memory to service these requests. Rootkits work on the same principle: a rootkit-based virus hides its files and processes from the system's own tools.

Virus removal
- Boot the machine from a known-clean medium (a clean boot floppy or CD) so that the resident virus is not loaded.
- Under DOS, use the FDISK command to rewrite the disk structures the virus relies on (FDISK /MBR rewrites the master boot record).
Tunneling viruses
These viruses place their own interrupt handlers underneath the interceptor programs that antivirus monitors install, calling the original BIOS/DOS handlers directly. Monitoring software that hooks those interrupts therefore never sees the virus's disk and file operations.
[Figure: a program asks for the system file tcpip.sys; the tunneling virus intercepts the request and hands back the original TCPIP.SYS, so the modification goes unnoticed.]



Encryption Viruses
[Figure: the same virus stored as Encryption Virus 1, 2 and 3, each a differently encrypted copy.]
An encryption virus stores its body in encrypted form and uses a different key for every infection, so no two copies look alike and a signature drawn from one copy does not match the next. The encryption is usually a simple one: each byte of the virus body is XOR-ed with the key. Only the small decryption routine at the start of the virus (the "virus root" in the diagram) stays constant, and that routine is what signature scanners target.



Polymorphic Viruses
A polymorphic virus carries a mutation engine (mutator) that changes the decryption routine with every infection, producing new forms of the code while the underlying virus stays the same. The mutator is what makes detection hard, because the one constant part of an encrypted virus, the decryptor, is no longer constant. Antivirus products handle this by collecting a virus sample, emulating or decrypting it to reach the constant body, and matching that. A simple integrity checker, which records checksums of clean files and reports any change, also reveals the infection, since the host file has been altered regardless of how the virus mutates.
[Figure: polymorphic infection. A user runs an infected program; the decryptor routine decrypts the virus code and the mutation engine; the mutation engine produces a new polymorphic copy with a new decryptor.]

Polymorphic viruses are the most complex class of file infectors. The virus consists of three parts: the encrypted virus body, the mutation engine (mutant engine) and the decryptor routine. The body and the mutation engine are stored encrypted; only the decryptor is in clear, and its form differs in every copy of the virus. When an infected program is run, the decryptor first takes control of the system, decrypts the virus body and the mutation engine, and passes control to the virus. The virus then locates a new target file, loads the mutation engine into memory (RAM) and calls it; the engine generates a fresh, randomly varied decryptor routine. The virus encrypts a new copy of itself and of the mutation engine under a new key, prepends the new decryptor, and writes the result into the target file. The new copy behaves identically to its parent but shares no byte sequence with it.
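Added example (not code from the original page) illustrating the encryption and polymorphic sections together: a per-copy XOR key makes the body different in every copy, so a body signature fails; the invariant decryptor stub is still matchable; and an integrity checker catches the change regardless. The byte strings, file names and the "DECRYPT:" stub layout are constructed for the demonstration; no real malware is involved.

```python
"""Added example (not from the original page): why a per-copy XOR key defeats
signature matching on the virus body, and why a simple integrity checker still
catches the infection. All samples here are constructed byte strings."""
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a virus body; an arbitrary byte string.
BODY = b"BEGIN-CONSTRUCTED-BODY:jump-to-payload:END"
STUB_TAG = b"DECRYPT:"  # constructed marker for the decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def make_encrypted_copy(key: int) -> bytes:
    """Model of an encryption virus: fixed decryptor stub + body encrypted under
    this copy's key. Layout: STUB_TAG, one key byte, ':', ciphertext."""
    stub = STUB_TAG + bytes([key]) + b":"
    return stub + xor_bytes(BODY, key)


def recover_body(sample: bytes) -> bytes:
    """What the decryptor does at run time: read the key from the stub, undo the XOR."""
    key = sample[len(STUB_TAG)]
    return xor_bytes(sample[len(STUB_TAG) + 2:], key)


def body_signature_matches(sample: bytes, signature: bytes = BODY[:12]) -> bool:
    """Naive scanner: look for a plaintext fragment of the body."""
    return signature in sample


def stub_signature_matches(sample: bytes) -> bool:
    """Scanner that matches the invariant decryptor stub instead of the body."""
    return sample.startswith(STUB_TAG)


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checker, step 1: record SHA-256 per file on a known-clean system."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(base: Dict[str, str], files: Dict[str, bytes]) -> Tuple[str, ...]:
    """Integrity checker, step 2: every file whose hash no longer matches the baseline."""
    return tuple(sorted(n for n, d in files.items()
                        if base.get(n) != hashlib.sha256(d).hexdigest()))


def demo() -> tuple:
    """Returns (all copies decrypt to BODY, body-signature hits, stub hits, changed files)."""
    copies = [make_encrypted_copy(k) for k in (0x21, 0x5A, 0xC3)]
    same_body = all(recover_body(c) == BODY for c in copies)
    body_hits = sum(body_signature_matches(c) for c in copies)   # 0: body differs per copy
    stub_hits = sum(stub_signature_matches(c) for c in copies)   # 3: stub is constant
    clean = {"calc.exe": b"HOST-A", "notepad.exe": b"HOST-B"}   # constructed host files
    base = baseline(clean)
    infected = dict(clean, **{"notepad.exe": clean["notepad.exe"] + copies[0]})
    return same_body, body_hits, stub_hits, changed_files(base, infected)


if __name__ == "__main__":
    print(demo())
```

A polymorphic virus would vary the stub as well, taking the stub hit count to zero too; the integrity check is the one result that does not depend on how the virus is encoded.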



Metamorphic Viruses
Metamorphic viruses rewrite themselves completely each time they infect a new file, rather than merely re-encrypting the same body. The metamorphic engine reorders, substitutes and expands its own instructions, so each generation is new code that does the same thing. The virus therefore never looks the same twice and, unlike an encrypted or polymorphic virus, carries no constant body that emulation could expose, which makes it much harder to detect with signatures. Two well-known examples:

Win32/Simile: written in assembly language, about 14,000 lines, of which roughly 90% is the metamorphic engine (metamorphic code). The virus regenerates its code at every infection.

Zmist (Z0mbie.Mistfall): written by the virus author Z0mbie. It introduced "code integration": the virus disassembles the host program, inserts its own code between the host's instructions and rebuilds the file, so it has no fixed position in the host.



[Figure: text strings taken from four generations of the Metaphor (Simile) virus, labelled a) Variant A, b) Variant B, c) the "unofficial" Variant C and d) the .D variant (the "official" C of the original author); each shows the same author string "MetaPHoR v1 by The Mental Driller/29A" mutated differently.]



File Overwriting or Cavity Viruses
Cavity viruses, also called space-fillers, keep the size of the host file unchanged. Instead of appending or prepending code, the virus looks for empty space inside the file, such as runs of null bytes used for padding, and writes its code there. Traditional file infectors grow the host by their own length, which a size comparison may reveal; a space-filler avoids that. The Portable Executable (PE) format used by Windows makes this practical, because sections are aligned and padded, leaving unused areas the virus can occupy. Such infections are hard to spot by file size alone, although the content of the file has still changed and a checksum will show it.



[Figure: a space-filler infection. Original file, size 45 KB: text followed by a block of null-byte padding. Infected file, size 45 KB: the virus has been written into the null padding, so the size is unchanged.]




Sparse Infector Viruses
A sparse infector infects only occasionally in order to reduce the chance of being noticed: for example only every nth file it sees, only files of a certain size, or only on a given date.
[Figure: a sparse infector that wakes up on the 15th of every month and executes its code.]
Companion/Camouflage Viruses
A companion virus creates a companion file for each executable it infects rather than altering the executable itself. A DOS companion virus exploits the search order of DOS: when a command is typed without an extension, DOS looks first for a .COM file, then for a .EXE, then for a .BAT. The virus therefore creates a .COM file with the same base name as an existing .EXE.

Source: http://wwwx1mowxom/cmsM^ (URL garbled in the original)

Companion viruses (also called spawning viruses) are closely related to cluster viruses in that they divert execution without touching the host program. The companion file is usually given the hidden attribute, and the virus inside it is small. To infect PGM.EXE, the virus creates PGM.COM containing its own code. When the user types PGM at the prompt and presses Enter, DOS runs PGM.COM instead of PGM.EXE; the virus executes and then launches PGM.EXE, so the user notices nothing. It propagates to other executables by the same mechanism. A user can recover by deleting the .COM companions, since the original .EXE files have not been modified.




[Figure: an attacker infects a system by creating Notepad.com alongside the existing Notepad.exe.]

Shell Viruses
A shell virus wraps itself around the original program: the virus code becomes the "shell" and the original program runs from inside it as a subroutine. Before infection the file is just the original program; after infection the virus is executed first and calls the original program when it is done.
[Figure: Before infection: Original Program. After infection: the virus shell enclosing the Original Program.]
File Extension Viruses
A file extension virus exploits the way Windows hides the extensions of known file types. With extensions hidden, a file named BAD.TXT.VBS is displayed as BAD.TXT; the user believes it is a text file and opens it, and because the real extension is .VBS the file runs as a Visual Basic Script. Many script viruses have spread this way as e-mail attachments. The countermeasure is to turn off "Hide extensions for known file types" in Folder Options so that the full name is always shown.
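Added example, not from the original page, covering the companion-virus and file-extension-virus sections above: it models the DOS search order that lets PGM.COM shadow PGM.EXE, lists companion candidates in a directory, and flags double extensions such as BAD.TXT.VBS. The directory listing and the extension sets are constructed assumptions, not a standard.

```python
"""Added example (not part of the original page): two directory-listing checks,
for companion (.COM beside .EXE) files and for deceptive double extensions."""
from typing import List, Optional, Tuple

DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")  # what DOS tries for a bare command name
# Constructed heuristics: extensions that execute, and ones that look harmless.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
HARMLESS_LOOKING = {".txt", ".doc", ".jpg", ".pdf", ".xls"}


def resolve_command(name: str, listing: List[str]) -> Optional[str]:
    """Which file runs when the user types `name` at the DOS prompt."""
    by_upper = {f.upper(): f for f in listing}
    for ext in DOS_SEARCH_ORDER:
        hit = by_upper.get(name.upper() + ext)
        if hit:
            return hit
    return None


def companion_candidates(listing: List[str]) -> List[Tuple[str, str]]:
    """Pairs (shadowing file, shadowed file): a .COM next to a .EXE of the same base name."""
    present = {f.upper() for f in listing}
    pairs = []
    for f in sorted(listing):
        base, dot, ext = f.rpartition(".")
        if dot and ext.upper() == "COM" and base.upper() + ".EXE" in present:
            pairs.append((f, base + ".EXE"))
    return pairs


def deceptive_extensions(listing: List[str]) -> List[str]:
    """Names whose visible part ends in a document extension while the real
    (last) extension is executable, e.g. BAD.TXT.VBS shown as BAD.TXT."""
    flagged = []
    for f in listing:
        parts = f.lower().split(".")
        if (len(parts) >= 3
                and "." + parts[-1] in EXECUTABLE_EXTS
                and "." + parts[-2] in HARMLESS_LOOKING):
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    # Constructed directory listing.
    listing = ["PGM.EXE", "PGM.COM", "README.TXT", "BAD.TXT.VBS", "setup.exe"]
    print(resolve_command("PGM", listing))     # PGM.COM wins over PGM.EXE
    print(companion_candidates(listing))       # [('PGM.COM', 'PGM.EXE')]
    print(deceptive_extensions(listing))       # ['BAD.TXT.VBS']
```

Both checks are cheap enough to run over a whole volume; the companion check produces false positives on legitimate .COM/.EXE pairs, so treat hits as leads to inspect, not verdicts.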



[Figure: Windows Folder Options, View tab, Advanced settings. The relevant option is "Hide extensions for known file types", which should be unchecked; the same dialog contains "Show hidden files, folders, and drives".]



Add-on and Intrusive Viruses

Add-on Viruses
An add-on virus appends its code to the host program without removing the original code; the original program is preserved and the entry point is changed so that the virus runs first.
[Figure: original program with the virus code added on.]

Intrusive Viruses
An intrusive virus overwrites part (or all) of the original program with its own code, so the host is damaged and may no longer work.

Transient Viruses
A transient virus is active only while its host program runs; when the host terminates, the virus terminates too, having already infected other files.

Terminate and Stay Resident Virus (TSR)
A TSR virus stays in memory after the host program has finished, remaining active in the background to infect other files or monitor the system.



Writing a Simple Virus Program
How little is needed to produce a destructive "virus" (strictly a file wiper, since it does not replicate):

1. Create a batch file Game.bat with the following text (the original listing used `delete`, which is not a Windows command; the batch interpreter's command is `del`):

    @echo off
    del c:\winnt\system32\*.*
    del c:\winnt\*.*

2. Convert Game.bat into Game.com with the bat2com utility.
3. Change the icon of Game.com to something enticing (Windows file properties screen).
4. Send Game.com to the victim.
TeraBIT Virus Maker
[Figure: TeraBIT Virus Maker 3.1 interface. The tool offers check-box payloads such as blocking programs (Calculator, Copy/Move window, Gpedit, Media Player, Mozilla Firefox, Msconfig, Notepad, Wordpad, Yahoo Messenger), adding 10 user accounts, clearing the clipboard, logging off, closing Internet Explorer every 10 seconds, deleting all files on the desktop or in My Documents, deleting fonts and screen savers, disconnecting from the Internet, disabling Automatic Updates, the command prompt, the printer, Regedit, the screen saver, System Restore, Task Manager, the Windows firewall, Windows Installer, Security Center, Security Essentials and themes, formatting all hard drives, "funny" keyboard/mouse/Start button, gradually filling the system volume, hiding desktop icons, the Folder Options menu and the taskbar, locking all drives and folders, locking the Internet Explorer options menu, muting the system volume, opening/closing the CD-ROM every 10 seconds, beeping every second, removing the wallpaper, the Run item, the Start button and the clock, slowing the PC, spreading via floppies and folders, stopping SQL Server, swapping mouse buttons, transparent Explorer windows, turning off the computer after 5 minutes and turning off the monitor. Further fields: a fake error message with a Critical icon, Run Custom Command, "fake KB(s) to virus" (padding), File Name After Install, Run Virus with Windows, and a Create Virus button.]

JPS Virus Maker and DELmE's Batch Virus Maker

JPS Virus Maker
JPS Virus Maker is a point-and-click tool: the attacker ticks the desired effects and the program generates an executable that carries them out on the victim's machine.
[Figure: JPS Virus Maker 3.0, "Virus Options" check-box list. Options include disabling Yahoo Messenger, Notepad, the DHCP client, the Start button, MSN Messenger, Security Center and Control Panel; hiding the desktop icons, the clock, all processes in Task Manager and the drives; opening windows repeatedly; swapping the mouse buttons; muting sound; always opening the CD-ROM; turning off the monitor; destroying the taskbar, Offline Messenger, the audio service and the clipboard; and terminating Windows.]

Under the options the attacker chooses what happens after the virus runs (Restart, Log Off, Turn Off, Hibernate or None), the process name the virus takes after installation (Name After Install, for example Rundll32 or Explorer), and the file name of the generated server (Server Name). The file name is picked from a list that imitates Windows system processes, such as Svchost.exe, Kernel32.exe, SPOOLSV.EXE and ALG.EXE, so that the running virus blends in with legitimate processes. Finally, Create Virus! generates the file with the selected options.
[Figure: JPS Virus Maker 3.0, lower panel: Restart / Log Off / Turn Off / Hibernate / None; Name After Install: Rundll32; Server Name: Svchost.exe; buttons Create Virus!, About and Exit.]
DELmE's Batch Virus Maker
DELmE's Batch Virus Maker is a tool for generating batch-file viruses (.bat) from a menu of destructive or annoying actions, intended for people with no batch-scripting knowledge.
[Figure: DELmE's Batch Virus Maker interface; the option labels are illegible in the original scan.]

7.3 Computer Worms

Having covered viruses, we turn to worms: what they are, how they differ from viruses, a detailed analysis of the Stuxnet worm, and a worm-construction tool (Internet Worm Maker Thing).

Computer Worms
A computer worm is a malicious program that replicates itself across networks without needing a host file or any user action. Worms spread by exploiting vulnerabilities in network services, by e-mail, by network shares, or by other information-transport features of the systems they reach, and they often consume so much bandwidth and processing capacity that the infected network or host degrades noticeably. Some worms carry no deliberate payload and do harm only through their spread; others, such as Tanatos (also known as Bugbear, which appeared in 2002), carry a payload that captures information from the infected machine. Modern worms commonly carry backdoor payloads that turn the infected machine into a bot (zombie) under remote control; large collections of such machines form a botnet that can be used for spam, attacks on other systems and other malicious activity.
Virus vs. Worms

Virus:
- Infects a system by inserting itself into a file or executable program and needs that host to run.
- Spreads only when the infected file is copied or sent to other devices.
- Infects executable files such as .com, .exe and .sys and alters how the system works.
- Usually needs a user action (running the infected program) and so spreads relatively slowly.
- Can damage or corrupt the files on the infected machine.

Worm:
- Replicates on its own; it does not need a host program.
- Spreads through the infected network automatically, using file or information transport features (e-mail clients such as Outlook, IRC, network shares).
- Generally does not modify the files on the infected machine, but consumes bandwidth and system resources.
- Spreads much faster than a virus because no user action is required.
- Depends on network connectivity far more than a virus does.

[Figure: a worm replicates on its own and spreads through the infected network. A worm takes advantage of file or information transport features on computer systems and spreads through the infected network automatically, but a virus does not.]



Worm Analysis: Stuxnet
Source: http://www.symantec.com/index.jsp

Stuxnet is a computer worm that targets the industrial control systems used to monitor and operate industrial facilities; it is widely regarded as the first malware written to attack physical infrastructure, and it drew worldwide attention to the security of industrial plants.

Stuxnet is a Windows worm first reported in June 2010 by the Belarusian antivirus company VirusBlokAda. Early estimates put the number of infected machines at about 45,000, 60% of them in Iran, 18% in Indonesia and around 2% in the United States.

What made Stuxnet new was that it targeted industrial control systems (ICS), specifically the supervisory control and data acquisition (SCADA) systems used in power plants, water treatment and manufacturing, and that it reprogrammed the programmable logic controllers (PLCs) driving the machinery while hiding the changes it made. The initial infection took place through USB flash drives and spread from there over the local network. Stuxnet attacked the SCADA software of the German company Siemens; its payload looked for PLCs with a specific configuration and altered their operation.

Experts who analysed Stuxnet concluded that its sophistication and its precise targeting pointed to a well-resourced team with detailed knowledge of the target installation, and most reporting linked it to Iran's uranium-enrichment facilities and their centrifuges. Its design aimed at causing physical damage to equipment while staying hard to detect.

The worm has been attributed in press reports to a joint state effort. The date 9 May 1979, embedded in the code as the registry marker 19790509, has been read as a reference to the execution of Habib Elghanian in Iran, and the Israeli military unit 8200 has been named in such reports; none of this has been confirmed by the parties concerned. Kaspersky Labs described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world" and concluded that an attack of this kind could only have been conducted with nation-state support. Siemens confirmed infections at some customers but reported no production damage, while Iranian sources acknowledged infections of industrial computers. On 9 November 2010 the disruption of enrichment at the Natanz facility was reported, and press reports (including one in the American Free Press) linked the worm to the United States and Israel; these attributions remain unofficial.

Stuxnet was the first malware to target industrial control systems (ICS), in particular the programmable logic controllers (PLCs) that, through the Siemens Step7 software, run the motors, pumps, valves and other machinery of a plant. The worm altered the code running on the PLCs, which control processes such as the spin speed of centrifuges, and hid the modification from operators by reporting normal values back to the supervisory (SCADA) system.



[Figure: Stuxnet command-and-control. Infected hosts contacted www.mypremierfutbol.com and www.todaysfutbol.com, uploading design documents and receiving commands to sabotage the PLC.]
How Stuxnet spreads and what it installs
- Removable drives: it copies itself to USB drives and uses specially crafted shortcut (.lnk) files so that merely viewing the drive in Explorer executes it (auto-execution, no AutoRun needed).
- Windows Print Spooler: a vulnerability in the spooler lets it copy itself to other machines on the network and run there.
- SMB: it exploits a remote code execution flaw in the Windows Server Service RPC handling to spread over file sharing.
- Network shares: it copies itself to shares it can reach.
- WinCC database server: it connects to the Siemens WinCC database (using a hard-coded password) and installs itself there.
- Step 7 projects: it infects Step 7 project files so that opening the project on another machine runs the worm.
- Peer-to-peer: infected machines on a LAN update each other, so a newer copy reaching one host reaches all of them.
- All of these rely on unpatched systems.

It contacts a command-and-control server to report the infection and to download updated instructions. It installs a Windows rootkit (kernel drivers) that hides its binaries, and its real payload is aimed at Step 7: it replaces the library Step 7 uses to talk to the PLC so that it can write, read and hide PLC code blocks (a PLC rootkit). The worm itself is a single .dll with many exports and resources; the resources hold the other components (drivers, payload DLLs and encrypted configuration blocks), which are extracted and decrypted at run time. Loading uses an unusual technique: it hooks the functions in Ntdll.dll that load libraries so that a request for a specially crafted filename is satisfied from memory rather than from disk. Symantec names the worm W32.Stuxnet. The dropper component is a wrapper program (a "stub") that carries the main .dll inside it, maps it into memory and calls one of its exports; because the main DLL never has to exist as a file, behaviour-blocking and host intrusion-protection technologies that watch library calls and file loads from disk do not see it. By Symantec's later count the infection had reached about 45,000 machines, 60% of them in Iran and 18% in Indonesia.

Infection Routine Flow
Before Stuxnet, PLC rootkits were unknown; Stuxnet was the first malware to modify PLC code while concealing the change from the engineer's tools.

[Figure: Step7 control software on a Control PC communicating with the PLC.]

To reach the PLCs, Stuxnet infects the Windows machines running the Siemens WinCC/Step 7 software that engineers use to program them. Step 7 talks to a PLC through the library s7otbxdx.dll: when the engineer reads a code block from the PLC, Step 7 calls s7blk_read in that DLL, which fetches the block (STL code) from the PLC and returns it for display.

[Figure, clean system: Step7 requests a code block from the PLC through s7otbxdx.dll (s7blk_read); the STL code block is returned and shown to the user.]

Stuxnet renames the original s7otbxdx.dll to s7otbxsx.dll and installs its own DLL under the original name (an injection technique applied to the library rather than to a process). Every call Step 7 makes to the PLC now passes through the malicious DLL. Reads and writes of code blocks are intercepted: Stuxnet writes its own blocks into the PLC, and when the engineer reads the code back the malicious DLL strips its additions and returns the original block, so the engineer sees unmodified code.

[Figure, infected system: Step7 requests a code block; the malicious s7otbxdx.dll forwards the request to the renamed s7otbxsx.dll, receives the STL code block from the PLC, and returns a modified STL code block to the user.]
The original s7otbxdx.dll exports 109 functions through which Step 7 reads and writes PLC blocks and configuration. The malicious DLL exports the same set: 93 of them are simply forwarded to the renamed original (s7otbxsx.dll), while the remaining 16, which cover reading, writing and enumerating code blocks and PLC information, are handled by Stuxnet's own code. Through these 16 exports Stuxnet can modify the data sent to or read from the PLC, hide its own blocks from the engineer, and monitor the PLC, which is how it functions as a PLC rootkit.
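The following is an added host check (not part of the original text or of Symantec's analysis) for the indicator just described: the genuine s7otbxdx.dll is kept next to the wrapper under the name s7otbxsx.dll. It runs here on a constructed temporary directory; a real deployment would point it at the Step 7 installation directory and supply the SHA-256 of a known-good DLL, a value this example does not know and must be given.

```python
"""Added example (not from the original page): look for the Step 7 DLL swap
Stuxnet performs. The directories built in demo() are constructed stand-ins."""
import hashlib
import os
import tempfile
from typing import Dict, Optional

ORIGINAL_DLL = "s7otbxdx.dll"      # the library Step 7 loads
RENAMED_ORIGINAL = "s7otbxsx.dll"  # where the wrapper parks the genuine copy


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_step7_dir(step7_dir: str, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    """Report whether the DLL-swap indicator is present in step7_dir.
    Two signals: the renamed original exists, and/or the DLL under the
    original name does not match a known-good hash (when one is supplied)."""
    present = {n.lower(): n for n in os.listdir(step7_dir)}
    result: Dict[str, object] = {"suspicious": False, "reasons": [], "dll_sha256": None}
    reasons = result["reasons"]
    if RENAMED_ORIGINAL in present:
        result["suspicious"] = True
        reasons.append(f"{RENAMED_ORIGINAL} exists alongside {ORIGINAL_DLL}")
    if ORIGINAL_DLL in present:
        digest = sha256_of(os.path.join(step7_dir, present[ORIGINAL_DLL]))
        result["dll_sha256"] = digest
        if known_good_sha256 and digest != known_good_sha256:
            result["suspicious"] = True
            reasons.append(f"{ORIGINAL_DLL} hash differs from the known-good copy")
    return result


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Build a clean tree and an infected-looking tree; run the check on both.
    Returns (clean suspicious?, infected suspicious?, number of reasons on infected)."""
    good_bytes = b"constructed stand-in for the genuine s7otbxdx.dll"
    good_hash = hashlib.sha256(good_bytes).hexdigest()
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as infected:
        _write(os.path.join(clean, ORIGINAL_DLL), good_bytes)
        # Infected layout: the wrapper takes the original name, the real DLL is renamed.
        _write(os.path.join(infected, ORIGINAL_DLL), b"constructed wrapper DLL")
        _write(os.path.join(infected, RENAMED_ORIGINAL), good_bytes)
        c = check_step7_dir(clean, good_hash)
        i = check_step7_dir(infected, good_hash)
    return c["suspicious"], i["suspicious"], len(i["reasons"])


if __name__ == "__main__":
    print(demo())
```

The hash comparison is the stronger signal, since an attacker could choose a different parking name; the presence check is still worth keeping because it needs no reference value.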

Zero-day exploits in the infection routine
Stuxnet's installer (export 16 of the main DLL) first checks its environment. If the process lacks administrator rights it escalates privileges with one of two zero-day exploits, chosen by operating system: on Windows Vista, Windows 7 and Windows Server 2008 R2 it abuses the Task Scheduler, and on Windows XP and Windows 2000 it exploits a flaw in the kernel driver win32k.sys. In the win32k.sys case the code carrying the exploit is resource 250 of the main DLL and the result is a new csrss.exe-hosted process running the installer; the Task Scheduler path spawns a scheduled task instead. Microsoft has since patched both vulnerabilities.

Export 16 then runs the main installation. It checks the configuration data, verifies that the current date is before the hard-coded deadline of 24 June 2012, and reads the registry value "NTVDM TRACE" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation; if that value equals 19790509 the worm treats the machine as one not to be infected and exits. Otherwise it creates global mutexes so that only one instance runs, checks for the STEP7 software and STEP7 projects, injects into services.exe and into Step 7 processes, creates the rootkit service registry keys and writes its components to disk.



[Figure: Stuxnet infection routine flow, summarised. Export 16 checks the configuration (Check CFG); if the date is not before 06/24/2012 (Past deadline) or the registry key NTVDM Trace = 19790509 is present, it exits. Otherwise: create global mutexes; set DACL and SACL; check the OS (Vista or higher takes the Task Scheduler path); hide malicious files; create the rootkit service registry keys; decrypt resources 201 and 242 and write them to disk (the kernel drivers, among them Mrxcls.sys); create the .pnf and .cfg files (Oem7a.pnf); set file times; decrypt and load itself from disk and call export 6 to get the version, comparing the running version with the version on disk; inject into services and into Step 7 and call export 32; infect removable drives; infect Step 7 projects.]
Worm Maker: Internet Worm Maker Thing
Internet Worm Maker Thing is a tool for building worms that can infect a victim's drives, files and e-mail contacts. It offers preset payloads, among them changing the Internet Explorer title and home page, disabling Task Manager, the registry editor, the Run command, Windows Update, shutdown and the keyboard, corrupting antivirus and hiding files, infecting files of chosen types (DLL, EXE, ...), spreading over e-mail and network shares, and preset proxy-attack ("poison") payloads, all selected from check boxes with no programming required.
[Figure: Internet Worm Maker Thing Version 4.00, Public Edition, option panel; most labels are illegible in the original scan.]

7.4 Malware Analysis

Malware analysis is the process of determining the purpose and functionality of a malicious sample in detail. The results tell the analyst what the sample did to the system or network, how to detect it elsewhere and how to remove it. It is done in two ways: static analysis (examining the file without running it) and dynamic analysis (running it in an isolated environment and observing its behaviour).

What Is a Sheep Dip Computer?
Sheep dipping is the practice of scanning files, removable media and other incoming data for viruses, malware and other threats before they are allowed into the production environment. A sheep dip computer is a dedicated, isolated machine used for this purpose: it is kept off the network, runs several up-to-date antivirus engines, and is equipped with port and network monitors, file and device-driver monitors, and registry monitors, so that suspicious media can be examined there first.
Antivirus Sensor Systems
An antivirus sensor system is a set of products that, together with the sheep dip computer, detects and analyses malicious code: anti-virus, anti-spyware, anti-Trojan, anti-spam and anti-phishing software and an e-mail scanner. Placed between the Internet and the internal network, the sensors inspect incoming traffic, pass genuine traffic through to the internal systems, and reflect (reject) traffic that carries malicious content, so that internal hosts are not exposed to it.
[Figure: Internet traffic passes through anti-virus, anti-Trojan, anti-phishing, anti-spam and e-mail-scanner sensors; allowed traffic reaches the internal systems (System 1, 2, 3), rejected traffic is reflected.]

Malware Analysis Procedure: Preparing the Testbed
Most malware samples are Windows binary executables, so the test environment is a Windows machine that can be destroyed and rebuilt at will. Steps:
- Install virtualisation software (VMware, Virtual PC or Oracle VM VirtualBox) on the analysis host.
- Install a guest operating system in the virtual machine.
- Isolate the guest from the network: set the virtual NIC to "host only" mode so that the sample cannot reach the Internet or the LAN.
- Disable shared folders between host and guest and enable guest isolation, so that the sample cannot escape to the host.

Malware Analysis Procedure
Begin with static analysis, examining the sample without executing it:
- Extract the strings embedded in the binary with a tool such as BinText; URLs, file paths, registry keys and function names found this way often reveal what the sample does.
- Check whether the sample is packed or compressed (for example with UPX) and unpack it before further analysis.
Dynamic analysis follows, running the sample in the isolated guest while monitoring its process, file, registry and network activity.

BinText
Source: http://www.mcafee.com/us
BinText is a string extractor: it finds the ASCII (ANSI), Unicode and resource strings in a file and shows their file and memory offsets, so the analyst can read embedded text without disassembling. The "Advanced" view adds filtering options such as minimum string length.
[Figure: BinText 3.0.3 scanning C:\Users\Administrator\Desktop\setup.exe. The list shows file and memory positions of strings such as "This program cannot be run in DOS mode", "Rich", "IsProcessorFeaturePresent", "KERNEL32", "General_AppName", "General_Reporter", "FilesToDelete" and "FilesToKeep"; totals: ANSI 1840, Unicode 373, resource 0.]

UPX

Source: http://upx.sourceforge.net

UPX is an executable packer with an excellent compression ratio, typically better than WinZip/zip/gzip. A packed sample has to be unpacked (upx -d) before its strings and code can be examined.



[Screenshot: UPX run from an administrator command prompt]

C:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Compression and Decompression\UPX\upx308w\upx308w>upx.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
  -1     compress faster                   -9    compress better
  -d     decompress                        -l    list compressed file
  -t     test compressed file              -V    display version number
  -h     give more help                    -L    display software license
Options:
  -q     be quiet                          -v    be verbose
  -oFILE write output to 'FILE'
  -f     force compression of suspicious files
  -k     keep backup files
file..   executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
Monitor process activity with Process Monitor and Process Explorer.

Process Monitor

Source: http://technet.microsoft.com/en-US

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity, which makes it useful for observing what a sample does once it is run in the testbed.



[Screenshot: Process Monitor (Sysinternals) event list showing file, registry and TCP Send/Receive events from Explorer.EXE, mmc.exe and firefox.exe, with Time of Day, Process Name, PID, Operation, Path, Result and Detail columns; status bar: Showing 39,723 of 186,768 events.]

Monitor the network traffic generated by the sample with tools such as NetResident and TCPView.

Monitor changes to the registry and the file system with tools such as Regshot.

NetResident

Source: http://www.tamos.com

NetResident is a network content monitoring tool that captures, stores, analyzes and reconstructs network events such as web sessions and transferred files, so the analyst can see what the sample sends and receives.



[Screenshot: NetResident event list from 10/5/2012 showing Web protocol events between a local host (WIN-LXQN3...) and remote hosts on ports 80 and 443, grouped by Party A and Party B; the event detail pane shows a POST request and its parameter values.]
Debug the sample with a debugger such as OllyDbg, or capture its process with ProcDump, and watch for:

- Service requests
- Attempts for incoming and outgoing connections
- DNS requests

OllyDbg

Source: http://www.ollydbg.de

OllyDbg is a 32-bit assembler level analyzing debugger for Windows. Its emphasis on binary code analysis makes it particularly useful in cases where the source code is unavailable.

[Screenshot: OllyDbg CPU window (main thread, module OLLYDBG) showing the disassembly with PUSH and CALL instructions, the register pane and the "Entry point" marker.]

From the File menu choose Open.



[Screenshot: OllyDbg 2.00 "Select 32-bit executable and specify arguments" dialog with tini.exe selected; Files of type: Executable file (*.exe).]

Select the sample (tini.exe) and click Open; OllyDbg loads it and pauses at the entry point of the main module.
[Screenshot: OllyDbg - tini.exe, CPU window (main thread, module tini): the disassembly shows PUSH and CALL instructions into WSOCK32 (socket setup), with the register, flag and stack panes; status: Entry point of main module.]

From the View menu choose Log (or press Alt+L) to open the log window; for tini.exe the log lists the modules that were loaded.



[Screenshot: OllyDbg - tini.exe, Log data window listing loaded modules (among them C:\Windows\SYSTEM32\bcryptPrimitives.dll, CRYPTBASE.dll, KERNEL32 and NSI.dll), each with the note "Different PE headers in file and in memory (System update is pending?)"; status: Entry point of main module, Paused.]

Other windows available from the View menu, such as Executable modules and Memory map, are also useful for inspecting the loaded sample.



Virus Analysis Tool: IDA Pro 



Source: https://www.hex-rays.com/index.shtml

IDA Pro combines a disassembler and a debugger.

Disassembler

A disassembler translates the binary code of a program back into readable assembly instructions, which makes it possible to see what a file really does; a file presented as a screensaver or a "GIF" image, for example, may in fact carry executable code. IDA Pro performs this kind of analysis.
Debugger

A debugger complements the static analysis done with the disassembler: it runs the program under control so that its behaviour can be observed at runtime.

IDA Pro is an interactive disassembler and debugger that is also used to audit software for tamper resistance. When IDA Pro starts, its quick start wizard asks whether to disassemble a new file.



[Screenshot: IDA Quick start dialog with the options New (Disassemble a new file), Go (Work on your own) and Previous (Load the old disassembly), and the "Display at startup" checkbox.]

Click New, select the file to analyze and click OK; IDA loads the file and displays its disassembly.




From the View menu choose Graphs and then Flow Chart to display the control flow of the code. The graph view can be zoomed in and out.
[Screenshot: IDA flow chart of the loaded file with jump edges; the Output window reports the number of nodes, edge segments and crossings in the graph.]
VirusTotal

Source: https://www.virustotal.com

[Screenshot: VirusTotal home page. VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. Maximum file size: 64MB. By clicking "Scan it!", you consent to the Terms of Service and allow VirusTotal to share the file with the security community.]
Online Malware Analysis Services

Online services that analyze or scan malware samples include the following:

Anubis: Analyzing Unknown Binaries available at http://anubis.iseclab.org 

Avast! Online Scanner available at http://onlinescan.avast.com 

Malware Protection Center available at http://www.microsoft.com/en-in/default.aspx 

ThreatExpert available at http://www.threatexpert.com 

Dr. Web Online Scanners available at http://vms.drweb.com 

Metascan Online available at http://www.metascan-online.com 

Bitdefender QuickScan available at http://www.bitdefender.com 

GFI SandBox available at http://www.gfi.com 

UploadMalware.com available at http://www.uploadmalware.com 

Fortinet available at http://www.fortiguard.com 



7.5 Countermeasures



This section covers countermeasures against viruses and worms.



Virus Detection Methods

o^cla j ^a^ill cil^^xi j 6 jj jjjd^l j^-^- ^^-Sc ^ivna cJ^^ virus protector lS^*-^ < ; t>j i^q cjLuj jj^t ^ 

^jjj <!Luj j ^ijlj V ^t tit 6 JlixJ! 6 (suspicious one)^j^^ j^j cAsj^V^ ^J^^ ^j^^ 

For example, the MyDoom worm is also known as W32.Novarg.A@mm.

Virus detection techniques fall into three categories:

- Scanning
- Integrity checking
- Interception

Scanning

A scanner searches files for signature strings, byte patterns that identify known viruses.



https://www.facebook.com/tibea2004 
In addition to matching known signatures, some scanners run the suspect program inside a virtual computer (an emulated processor and RAM) and watch what it does; this "heuristic scanning" can also catch viruses that are not yet in the signature list.

Scanning detects known viruses and many of their variants.

Limitations of scanning:

- The signature list must be updated regularly, because the scanner can only recognize viruses it already knows about.
- A new virus is not detected until a signature for it has been added.

Integrity checking

An integrity checker records a checksum of every file on a system known to be clean. Later scans recompute the checksums and report every file whose value has changed. Its main weakness is that, on its own, it cannot tell a legitimate modification from a virus infection, and a virus already present when the baseline was taken is never reported. On the other hand, some integrity checkers examine the nature of the changes and can recognize the way particular viruses modify files. Recomputing the checksum of every file also slows down the scanning process.

Interception

Interception software monitors the system for virus-like behaviour, such as a program attempting to stay resident in memory or to modify other executables, and asks the user whether to allow the request. Its weakness is that the user must decide correctly each time, and interception is easily bypassed by low-level code that writes to the disk directly instead of going through the monitored system calls.

Virus and Worm Countermeasures

The main countermeasures are:

- Install anti-virus software that detects and removes infections as they appear.
- Schedule regular scans of all drives.
- Run disk clean up, a registry scanner and defragmentation regularly.
- Keep the anti-virus software updated regularly.
- Use anti-spyware and adware removal tools regularly.
- Check CDs and DVDs for infection before using them.
- Use a pop-up blocker and a firewall.
- Be careful with files received in e-mail messages.



Companion Antivirus: Immunet

Source: http://www.immunet.com/main/index.html

Immunet is a companion antivirus: it adds a further layer of protection alongside an existing anti-virus product rather than replacing it.

Immunet advantages:

Immunet uses two cloud-based detection engines, ETHOS and SPERO, one of which is heuristics-based, plus an offline engine, TETRA, so protection continues when there is no Internet connection.




Anti-virus software protects the system against viruses arriving by e-mail, instant messaging and other channels. Other anti-virus tools that can be used include the following:



AVG Antivirus available at http://free.avg.com

BitDefender available at http://www.bitdefender.com 

Kaspersky Anti-Virus available at http://www.kaspersky.com 

Trend Micro Internet Security Pro available at http://apac.trendmicro.com

Norton Anti-Virus available at http://www.symantec.com

F-Secure Anti-Virus available at http://www.f-secure.com 

Avast Pro Antivirus available at http://www.avast.com

McAfee Anti-Virus Plus 2013 available at http://home.mcafee.com

ESET Smart Security 5 available at http://www.eset.com 

Total Defense Internet Security Suite available at http://www.totaldefense.com 



7.6 Penetration Test



This section covers penetration testing for viruses and worms.



Penetration testing for viruses and worms checks whether the network and its systems are protected against malware that can steal or corrupt information and disrupt services. The tester verifies that the anti-virus software, firewalls and other defenses in place are able to stop viruses and worms, and reports whatever gets through.

The steps for a virus and worm penetration test are as follows:

Step 1: Install anti-virus software on the network infrastructure and on the end-user systems that are in scope for the test.

Step 2: Anti-virus programs

Check whether the anti-virus software installed on the systems is up to date; if it is not, update it before continuing, and record whether the update succeeded or not.

Step 5: Scan the system in safe mode

Boot the system into safe mode and run a full scan of the files in that mode.

Step 7: Scan the registry for suspicious entries

Scan the registry of the systems under test for entries that were added or modified, using tools such as HijackThis and Regshot.

Step 8: Scan for running services

List the services running on the systems under test and check for unknown or suspicious ones, using tools such as SrvMan and ServiWin.



Check the running processes on the systems under test with tools such as What's Running and JV Power Tools.



Scan the startup programs of the systems under test for suspicious entries, using tools such as Starter, Security AutoRun and Autoruns.

Check the integrity of system files and data with tools such as FCIV, TRIPWIRE and SIGVERIF.

Use the Tripwire tools to find out whether any files or programs have been modified or corrupted.

Step 12: Document the results.

4lt£L <jUa^l fUalll jjflaj : 14 S jkaJl 4- 



